CVE-2024-49391
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Files for Windows due to DLL hijacking. Attackers with local access can exploit improper DLL loading to execute arbitrary code with elevated privileges. Users running affected versions of Acronis Cyber Files on Windows are vulnerable.
💻 Affected Systems
- Acronis Cyber Files
📦 What is this software?
Cyber Files by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains SYSTEM/administrator privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local attackers or malware with user-level access escalate to administrative privileges, allowing them to disable security controls, modify system configurations, and access sensitive data.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the compromised user account, though attackers could still perform actions within that user's elevated permissions.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity once the vulnerable DLL is identified. Exploitation requires local access and the ability to place a malicious DLL in a directory the application searches.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 9.0.0x24 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7220
Restart Required: Yes
Instructions:
1. Download the latest version from the Acronis official website.
2. Run the installer with administrative privileges.
3. Follow the installation prompts.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict write permissions to application directories
(Windows) Prevent unauthorized users from writing DLL files to Acronis Cyber Files directories
icacls "C:\Program Files\Acronis\Cyber Files\*" /deny Users:(W)
Enable Windows Defender Application Control
(Windows) Implement application whitelisting to prevent unauthorized DLL loading
🧯 If You Can't Patch
- Implement strict least privilege access controls - ensure users don't have administrative privileges unnecessarily
- Monitor for suspicious DLL loading events and file creation in Acronis directories using endpoint detection
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Files version in Control Panel > Programs and Features. If the version is earlier than build 9.0.0x24, the system is vulnerable.
Check Version:
wmic product where "name like 'Acronis Cyber Files%'" get version
Verify Fix Applied:
Verify that the installed version is 9.0.0x24 or later. Test the workarounds by attempting, from a standard (non-administrative) user account, to place a test DLL in the Acronis directory; the write should be blocked if the workarounds are applied.
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) showing Acronis processes loading DLLs from unusual locations
- Sysmon Event ID 7 (Image loaded) showing DLLs loaded from user-writable directories
Network Indicators:
- No network indicators - this is a local exploitation vulnerability
SIEM Query:
source="windows" AND (event_id=4688 OR event_id=7) AND process_name="*Acronis*" AND (dll_loaded="*Users*" OR dll_loaded="*Temp*")
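As an added example (not part of this advisory or of any Acronis tooling), the logic of the SIEM query above applied to Sysmon Event ID 7 records: it flags Acronis processes loading a DLL from a user-writable path (the page's *Users* / *Temp* wildcards) and, as a weaker signal, unsigned DLLs loaded from the application directory itself, which is the failure mode the icacls workaround is meant to close. The sample events, process path and DLL names are constructed.

```python
import re

# Constructed Sysmon Event ID 7 (Image loaded) records, not real telemetry.
# The executable path below is a hypothetical install location, not taken from the advisory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Acronis\Cyber Files\acronis_files.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Acronis\Cyber Files\acronis_files.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\planted.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Acronis\Cyber Files\acronis_files.exe",
     "ImageLoaded": r"C:\Program Files\Acronis\Cyber Files\planted2.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\other.dll", "Signed": "false"},
]

ACRONIS_PROCESS = re.compile(r"acronis", re.IGNORECASE)        # SIEM query: process_name="*Acronis*"
USER_WRITABLE = re.compile(r"\\(Users|Temp)\\", re.IGNORECASE)  # SIEM query: dll_loaded="*Users*" / "*Temp*"


def classify(event):
    """Return a finding string for one Sysmon Event ID 7 record, or None if the load looks benign."""
    if not ACRONIS_PROCESS.search(event["Image"]):
        return None  # only Acronis Cyber Files host processes are in scope
    dll = event["ImageLoaded"]
    # Sysmon reports "Signed" as the strings "true" / "false"
    unsigned = event.get("Signed", "").lower() != "true"
    if USER_WRITABLE.search(dll):
        return "HIGH: DLL loaded from user-writable path " + dll
    if unsigned:
        return "MEDIUM: unsigned DLL loaded from application directory " + dll
    return None


def find_suspicious_loads(events):
    """Run classify() over a batch of events and return (process, dll, finding) tuples."""
    hits = []
    for event in events:
        finding = classify(event)
        if finding:
            hits.append((event["Image"], event["ImageLoaded"], finding))
    return hits


if __name__ == "__main__":
    for process, dll, finding in find_suspicious_loads(SAMPLE_EVENTS):
        print(finding, "(host process:", process + ")")
```

Running it on the constructed events reports two hits: the Temp-directory load as HIGH and the unsigned DLL in the install directory as MEDIUM; the signed system DLL and the svchost load are ignored.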